Hello, We have a workspace with all our DCs. I am trying to find a specific event ID (5139), which occurs when someone moves an AD object. At first I tried the simplest query:

SecurityEvent | where EventID == "5139"

But it returned nothing. I went to a specific DC, moved computers in AD, and I was able to clearly see the events in the Security log on the DC. After a few minutes, I went back in Log Analytics and used this query:

SecurityEvent | where Computer == "xxxxxxxxxxx" and EventID == "5139"

xxxxxxxxxxx is the DC. Again, nothing was found. I reduced the time range to 2 minutes before and 2 minutes after the event occurred. Again nothing. I removed the event ID from the where clause to see all the events in the 4-minute time lapse, and every event was there except the 5139!! I tried on another DC and had the exact same problem. All the events can be found except the 5139. I can find the events 4624, 4648, 4672, 5137 but no 5139.
What am I missing here? How is it possible that a single event ID number cannot be found in Log Analytics?
No problem. Basically you are already using ASC now, as that functionality is under ASC now. From the Security Center dashboard, if you open the Security policy blade you will see your subscriptions and your workspaces. Clicking on edit settings for the workspace should take you to the configuration of the workspace for the ASC setting. There you can set the workspace data collection settings without having to explicitly enable the ASC Standard tier as well. There are two options there: pricing tier - when set to Standard, it basically deploys the Security and Audit solution (from when it was in OMS). Data collection will allow you to set the settings on event collection. Hope this helps.
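Before changing the workspace data collection setting, it helps to confirm that the gap is a collection gap rather than a query problem. The following KQL query is an added example for this thread, not something posted by either participant; it lists, per DC, which of an expected set of event IDs have not been ingested in the last hour. The expected list is taken from the IDs mentioned in the question, and the `SecurityEvent` table and `EventID`/`Computer` columns are the standard Log Analytics schema.

```kusto
// Expected security event IDs (taken from the question above).
let expected = dynamic([4624, 4648, 4672, 5137, 5139]);
SecurityEvent
| where TimeGenerated > ago(1h)
| summarize ingested = make_set(EventID) by Computer
// Event IDs that are expected but absent from this DC's ingested set.
| extend missing = set_difference(expected, ingested)
| where array_length(missing) > 0
| project Computer, missing
```

If 5139 appears under `missing` for every DC while the other IDs are present, the agent is not forwarding that event, and the workspace data collection setting described above is the place to look rather than the query.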